Cyber Security - Regulation for "Mission Critical" Sectors (Critical Infrastructure)
By Carlos Borella
The COVID-19 pandemic contributed to an explosion of cybersecurity incidents in Brazil and around the world. We will not list the incidents here, as the focus of this article is to present what is being done to raise the maturity level of mission-critical sectors, more specifically the electricity sector. The occurrences were diverse, and many of them directly affected the daily lives of the population, since in some cases they reached mission-critical processes. We can consider mission critical those operations that, when compromised, can generate not only financial impacts but also social ones.
In view of this scenario, ANEEL (National Electric Energy Agency) opened a process in May 2020, through Technical Note No. 50/2020 and process No. 48500.000027/2020-40, to gather contributions for the development of a cybersecurity regulation for the Brazilian Electric System.
Although there is not yet a sector-specific regulation, in December 2019 the ONS (National System Operator) proposed the establishment of cyber controls for the actors (generators, transmitters, distributors and licensees) that make up the ONS operating environment. Subsequently, Decree 10,222 of February 2020 approved the National Cyber Security Strategy, aiming to raise the level of protection of national critical infrastructures and provide greater resilience for mission-critical services.
In the international scenario, the cybersecurity references for the electricity sector are the CIP (Critical Infrastructure Protection) standards of NERC (North American Electric Reliability Corporation) and the Cybersecurity Framework of NIST (National Institute of Standards and Technology); the latter is widely used by other sectors, including in Brazil.
In the same direction, ANATEL (National Telecommunications Agency), through Public Consultation No. 13/2020, is also seeking to develop a cybersecurity regulation for the telecommunications sector.
For both agencies it will be a great challenge to determine the appropriate type of regulation (prescriptive, guidance, self-regulation, or other), so as to avoid imposing unenforceable obligations, squeezing the sector and placing disproportionate costs on the actors (providers) involved, or, in some cases, inhibiting the adoption of new technological solutions.
In this sense, ANEEL, continuing the process, opened a Public Consultation in March 2021 to receive input for the Regulatory Impact Analysis (RIA) on cybersecurity for the sector. The RIA was expected to produce alternatives for the "problem" to be solved: "the risk of cybersecurity incidents occurring in the electricity sector".
Among the alternatives considered (1 - do not regulate; 2 - guide and disseminate cybersecurity best practices to sector agents; 3 - regulate the items of the cybersecurity policy; and 4 - regulate more prescriptive cybersecurity requirements), alternative 3 performed best and proved to be the most appropriate.
The chosen alternative is to create a regulatory framework (enforceable regulation) requiring industry players to establish a cybersecurity policy. Initially, a standard regulatory process will be proposed; subsequently, cybersecurity policies will be drawn up and implemented by the sector's actors (agents), with follow-up by ANEEL.
It is worth noting that any new regulation will need to be approved at the end of the process, and given the need for adjustments to the internal systems of agents and other bodies in the electricity sector, the preliminary estimate is that the proposals will take effect from the second half of 2022.
Finally, it is essential that the cybersecurity policy to be implemented by the sector's actors take into account the type of service, the size of the organization and the exposure of its environment, so that each actor correctly assesses its own universe of risks, focusing efforts and applying controls efficiently, without burdening the business or even making it unfeasible.
SAFEWAY is an Information Security company, recognized by its customers for offering high-value-added solutions through Information Security projects that fully meet business needs. Over these years of experience we have accumulated, with great pride, several successful projects that have earned us credibility and prominence among our clients, which largely include the 100 largest companies in Brazil.
Safeway can help customers better understand their Information Security needs, as well as the tools needed to detect, respond to and mitigate risks involving threats and regulatory issues. In this way, our professionals and expert consultants can help eliminate small problems before they become big ones. Our Security, Vulnerability and Fraud Management service actively analyzes your company's security through monitoring activities, mitigating risks and attacks in the IT environment.